<quote who="Andy Eager">
> Jeff, I absolutely respect your opinion, after all you pointed me in the
> direction of postfix in all its glory and I owe a great many beeeeeeers
> for that and a great many emails on other things as well. However, I don't
> know that H323 (as esoteric as it may be) is what we were talking about
> here. Masquerading of _WELL KNOWN SERVICES_ like telnet, realaudio, ssh
> etc is the key point.
Those are all simple, apart from RealAudio, but it does http these days, and a bunch of other simpler protocols. So they're the easy ones.

> As far as I can see, NAT (a particular case of masquerading) has a
> limitation with these well known services when compared with ipchains.

Well, masquerading is a specialised form of Source NAT (that's a textbook answer, from a remarkably unreliable textbook), not the other way around. Read about the difference here:

http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-6.html

> The old helper tasks handle connection tracking (which is a real
> bastard) as well as NAT... Particularly if you need to masquerade
> through both bastion and choke firewalls.

The new helper modules do this; for odd protocols such as FTP, IRC, H323, etc., you still need to have extra code to handle them effectively. So yeah, your average, everyday stuff works fine with 2.4 kernels, and there are NAT and conntrack modules for a few protocols, but not as many are available as for 2.2. Thus, if you want to be able to provide those services via SNAT or masquerade, you need to stick with 2.2.

For the record, our customers are using 2.4 firewalls, because netfilter is so much nicer, and they don't have odd protocol requirements.

- Jeff

-- 
"I'm offering you my body, and you're offering me semantics." - Caitlin, Clerks

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
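Added example, not code from either post: a small POSIX sh generator for the two cases Jeff distinguishes, SNAT to a fixed external address versus MASQUERADE when the address can change, plus the paired 2.4 conntrack/NAT helper modules for the protocols that embed addresses (FTP, IRC). The interface, network and address values are constructed placeholders.

```shell
# Emit 2.4-kernel netfilter (iptables) rules; values below are placeholders.
#
# Usage: nat_rules <ext_iface> <lan_net> <static_ext_ip|dynamic> [ftp|irc ...]
# Commands are printed, not run, so the rule set can be reviewed first and
# then applied as root with:  nat_rules eth0 192.168.1.0/24 203.0.113.5 ftp | sh
nat_rules() {
    [ $# -ge 3 ] || { echo "usage: nat_rules ext_if lan_net ext_ip|dynamic [helper ...]" >&2; return 2; }
    ext_if=$1; lan=$2; ext_ip=$3; shift 3

    # Plain telnet/ssh/http carry no addresses in their payload and need no
    # helper. FTP and IRC do, so each needs the paired 2.4 modules:
    # ip_conntrack_<proto> follows the control channel, ip_nat_<proto>
    # rewrites the embedded addresses. Anything else is refused rather than
    # silently left half-working.
    for proto in "$@"; do
        case $proto in
            ftp|irc) echo "modprobe ip_conntrack_$proto"
                     echo "modprobe ip_nat_$proto" ;;
            *) echo "nat_rules: no 2.4 helper for '$proto' in this example" >&2
               return 1 ;;
        esac
    done

    # Masquerading is source NAT for an address that may change (dial-up,
    # DHCP); with a fixed address, SNAT to it explicitly instead.
    if [ "$ext_ip" = dynamic ]; then
        echo "iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j SNAT --to-source $ext_ip"
    fi

    # RELATED is what admits the helper-identified data connections (e.g. the
    # FTP data channel); without the helper loaded they arrive as NEW and drop.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $lan -o $ext_if -m state --state NEW -j ACCEPT"
}
```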
